Major cybersecurity hacks are all too common, which is why I feel compelled to yell as loudly as I can to Credit Union CEOs, “Patch! Patch again, and patch some more!” There are 6,000 Credit Unions holding about 100M consumers’ information. Equifax alone had that much data at risk, and they blew it. Of course, we are smaller organizations and our targets aren’t as big, but we will continue to see major hacks and breaches. Plus, hackers will eventually move on to smaller targets as the big targets get stronger.
Most cyber experts agree that the number one thing you can do to protect yourself and your Credit Union is patching. So the question is: Why don’t we?
There are four major cultural reasons, in technology and in Credit Unions, that cause the unpatched phenomenon, and it is up to the CEO to change this playbook!
1. Conflicting Priorities – One of the largest goals of any IT person is maintaining uptime. However, this goal generally runs counter to security best practice. The most common question Ongoing Operations gets about its patching practices is, “How do you make sure that patching doesn’t break something?” The reality is that software patches that “break things” are uncommon. Of course, when they do, it is painful for all involved, since a bad patch undercuts the incentives built around uptime. Frankly, this is a red herring. Uptime is absolutely important but NOT as important as security. Go ahead and tell your IT person that it is ok to patch first and patch everything. It’s in your best interest to accept some downtime in the process. Think of it this way: if you don’t patch the small leaks, they eventually become big leaks and require expensive replacements. Footnote: Before beginning your aggressive patching initiative, you MUST make sure you have good backups, and “good” means backups you have actually restored from, not just a backup job that reports success. If you don’t have them, or you’re not sure, take care of that first. Then, patch away!
2. Lack of Visibility – The CEO needs to take responsibility and push for full transparency into the patching process. This issue carries more liability than HR issues, yet most Credit Union CEOs refuse to learn the process and impacts of patching (and of not patching) the way they understand HR laws. Get to know your Credit Union’s patching methodology, help your teams simplify it, and push to know its status at all times.
3. Boredom Avoidance – Let’s face it: patching hundreds of workstations, printers, firewalls, routers, servers, etc. is pretty monotonous. Find a tool (like Ongoing Operations’ CU Control product) and automate the heck out of the patching process. Make this the equivalent of counting teller drawers and cash vaults, and involve your supervisory committee. Don’t allow old vulnerabilities to linger. This can be an efficient and painless process, but you have to put in a little work on the front end.
4. The Lowest Common Denominator Effect – The last major issue really comes down to the company you keep. If you have subpar software providers who take a while to patch their products, or to certify other vendors’ patches against them, that delay flows downstream to the Credit Union. If a key vendor has not yet tested a new version, or declares it incompatible, the Credit Union is left waiting until the provider gets its act together. Unfortunately, when it comes to patching procrastination, this is the most common reason and pain point. We highly recommend instituting a good dashboard or scorecard for your Credit Union’s patching, one that also maps out your dependencies on key software providers and how quickly each of them certifies patches.
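The visibility, automation and vendor-scorecard points above are easier to act on when patch state is computed from an inventory rather than reported by hand. The following Python script is an added example, not code from the original post or from Ongoing Operations’ CU Control; every host, patch, vendor name and SLA value in it is constructed for illustration. It classifies each missing patch on each host against an assumed SLA, keeps “waiting on a vendor” separate from plain neglect, and measures each key vendor’s certification lag so the lowest-common-denominator problem shows up as a number on the scorecard instead of an excuse.

```python
"""Patch-compliance scorecard (added example; not Ongoing Operations' or any product's code).

Turns a host inventory and a patch list into the two views the post asks for:
per-host patch status against an SLA, and per-vendor certification lag.
All hosts, patches, vendors and SLA values below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy: days a missing patch of each severity may remain uninstalled.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass
class Patch:
    patch_id: str
    severity: str
    released: date
    # vendor name -> date that vendor certified the patch as compatible with its product
    certified: Dict[str, date] = field(default_factory=dict)

    def deadline(self) -> date:
        return self.released + timedelta(days=SLA_DAYS[self.severity])


@dataclass
class Asset:
    name: str
    installed: List[str]                  # patch ids already applied on this host
    gating_vendor: Optional[str] = None   # vendor whose certification gates patching here


def patch_status(asset: Asset, patch: Patch, today: date) -> str:
    """Classify one patch on one host.

    'blocked' means a key vendor has not certified the patch, so IT cannot act yet;
    'blocked-overdue' means that wait has already consumed the SLA, i.e. the vendor
    is now the reason the host is exposed. Both still count as exposure.
    """
    if patch.patch_id in asset.installed:
        return "installed"
    past_sla = today > patch.deadline()
    if asset.gating_vendor and asset.gating_vendor not in patch.certified:
        return "blocked-overdue" if past_sla else "blocked"
    return "overdue" if past_sla else "pending"


def host_scorecard(assets: List[Asset], patches: List[Patch], today: date) -> Dict[str, Dict[str, str]]:
    """host name -> {patch id -> status}."""
    return {a.name: {p.patch_id: patch_status(a, p, today) for p in patches} for a in assets}


def summarize(scorecard: Dict[str, Dict[str, str]]) -> Counter:
    """Fleet-wide counts by status: the headline numbers for a CEO dashboard."""
    return Counter(s for host in scorecard.values() for s in host.values())


def vendor_scorecard(vendors: List[str], patches: List[Patch], today: date) -> Dict[str, dict]:
    """How long each vendor takes to certify patches, and which ones it has let run past SLA."""
    out = {}
    for v in vendors:
        lags = [(p.certified[v] - p.released).days for p in patches if v in p.certified]
        late = [p.patch_id for p in patches if v not in p.certified and today > p.deadline()]
        out[v] = {
            "avg_certification_lag_days": round(sum(lags) / len(lags), 1) if lags else None,
            "uncertified_past_sla": late,
        }
    return out


# Constructed sample data (hypothetical hosts, patches and vendor).
TODAY = date(2017, 10, 1)
SAMPLE_PATCHES = [
    Patch("P1", "critical", date(2017, 9, 1), {"CoreVendor": date(2017, 9, 10)}),
    Patch("P2", "high", date(2017, 9, 20)),
    Patch("P3", "critical", date(2017, 9, 15)),
    Patch("P4", "low", date(2017, 8, 1), {"CoreVendor": date(2017, 8, 5)}),
]
SAMPLE_ASSETS = [
    Asset("core-app-01", ["P4"], gating_vendor="CoreVendor"),  # core system; waits on CoreVendor
    Asset("teller-ws-07", ["P1", "P3", "P4"]),                 # workstation, no vendor gate
    Asset("fw-edge-01", []),                                   # firewall nobody has patched
]

if __name__ == "__main__":
    cards = host_scorecard(SAMPLE_ASSETS, SAMPLE_PATCHES, TODAY)
    for host, statuses in cards.items():
        print(host, statuses)
    print("fleet:", dict(summarize(cards)))
    print("vendors:", vendor_scorecard(["CoreVendor"], SAMPLE_PATCHES, TODAY))
```

The “blocked-overdue” rows are the ones to take to the vendor; the “overdue” rows are the ones to take to IT. Replacing the sample lists with an export from your patch-management tool turns this into the scorecard the post recommends.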
I’m encouraging you to establish the necessary precautions for your Credit Union’s safety through patching. The reasons above are the barriers, but you need to push through them because, ultimately, it’s just like locking the doors of your house every night. It’s not hard, and forgetting to do it may have grave consequences. So, patch your damn stuff and improve your odds that you won’t wind up in the Equifax CEO’s shoes.